From metadata to model-driven OT security, or why you don't really need content

May 17, 2016

Of all the OT security startups of the last couple of years, the vast majority focus on network monitoring, trying to identify malicious packets in real time. No matter whether you look at Dragos, NexDefense, RadiFlow, or SecurityMatters (to name just a few), their basic technology is deep packet inspection, even when it goes by fancier names like “deep protocol behavior inspection”. In this niche, the terms of the trade are PCAP (packet capture) files, IP addresses, and anomaly detection.

However, this trend, if it is one, may be driven more by the ability of software developers to use Snort than by the technology’s demonstrated success in spotting cyber-physical attacks (the more sophisticated ones will never show up in wire traffic). Even more puzzling, the deep packet inspection game, with its obvious self-limitation to network packets, is anything but logical. Let’s examine why.

Context beats content

After bulk processing of telecommunications had become technically feasible, something seemingly counter-intuitive happened in the intelligence community: the National Security Agency moved from analyzing content (of phone calls, emails, etc.) to analyzing metadata, such as who contacted whom, when, how often, etc.

Not only does this approach put a much lighter burden on information processing, it also proved to be far more valid. Surprise! Content is subject to interpretation, while metadata is hard fact. Former NSA general counsel Stewart Baker was quoted as saying: “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” Yes, you read correctly: you don’t really need content. Such is the thinking of the masters of the espionage universe.

Former NSA chief Michael Hayden even topped Baker by adding “We kill people based on metadata”, making drastically clear how, eh, powerful metadata really is. The statement also suggests that the NSA is apparently pretty confident in its capability to avoid false positives.

Breaking out of the packet sniffing box

Back to the plant floor: why would anybody limit themselves to studying only meaningless IP addresses and transient data packets? Why not talk about a reactor protection system, for example, and its digital trust chains to operator stations and engineering software? For the asset owner, the real-world plant environment is anything but unknown. It is precisely this real-world, contextual knowledge that gives the defender the biggest advantage over the attacker.

This characterizes the approach we have taken with the myRIPE OT Management System. In technical terms, myRIPE is a hybrid of CMDB, intrusion detection system, and analytics tool. It provides ICS engineers with the means to model, monitor, and analyze their cyber-physical environment by associating digital configuration with analog context, such as location, process function, and the physical limits of equipment. And even with people, such as contractors and their laptops! It empowers the ICS engineer with unprecedented transparency into his or her cyber-physical ecosystem, its structural vulnerabilities, and potential breaches of configuration integrity.
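As an added illustration, not code from myRIPE or the author, here is what a model-driven check on nothing but metadata can look like: assets carry analog context (process function, location, an approved configuration fingerprint), the engineer lists the approved trust chains, and observed who-talked-to-whom records are judged against that model without reading a single payload byte. All asset names, fingerprints and observations are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    """One modeled device with its analog context (constructed sample data)."""
    name: str
    role: str          # process function, e.g. "reactor protection system"
    location: str
    config_hash: str   # fingerprint of the approved configuration

def build_model():
    """Assets plus the digital trust chains (src, dst, purpose) the engineer approves."""
    assets = {
        "RPS-01": Asset("RPS-01", "reactor protection system", "Unit 1", "cfg-a1"),
        "ENG-01": Asset("ENG-01", "engineering station", "Control room", "cfg-b2"),
        "OPS-01": Asset("OPS-01", "operator station", "Control room", "cfg-c3"),
    }
    trust_chains = {("ENG-01", "RPS-01", "engineering"), ("OPS-01", "RPS-01", "hmi")}
    return assets, trust_chains

def assess(assets, trust_chains, observations):
    """Check connection metadata and config fingerprints against the model; payloads are never read."""
    findings = []
    for obs in observations:
        src, dst, purpose = obs["src"], obs["dst"], obs["purpose"]
        if src not in assets:
            findings.append(f"unmodeled device {src} reached {dst} ({purpose})")
        elif (src, dst, purpose) not in trust_chains:
            findings.append(f"{src} [{assets[src].role}] -> {dst} for {purpose}: "
                            "not an approved trust chain")
        seen = obs.get("config_hash")   # fingerprint reported by an asset scan, if any
        if seen is not None and dst in assets and seen != assets[dst].config_hash:
            findings.append(f"configuration of {dst} [{assets[dst].role}] changed")
    return findings

# Constructed observations, as they might come from switch logs or an asset scan.
OBSERVATIONS = [
    {"src": "ENG-01", "dst": "RPS-01", "purpose": "engineering", "config_hash": "cfg-a1"},
    {"src": "OPS-01", "dst": "RPS-01", "purpose": "hmi"},
    {"src": "LAPTOP-77", "dst": "RPS-01", "purpose": "engineering"},   # contractor laptop, never modeled
    {"src": "OPS-01", "dst": "RPS-01", "purpose": "engineering"},      # operator station outside its chain
    {"src": "ENG-01", "dst": "RPS-01", "purpose": "engineering", "config_hash": "cfg-z9"},
]

if __name__ == "__main__":
    for line in assess(*build_model(), OBSERVATIONS):
        print(line)
```

The first two observations are silent because they match the model; the remaining three produce a finding each, none of which required looking at packet content.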

myRIPE allows organizations to leverage the most powerful resource in the OT security game, one that was ignored for years: the ICS engineer, who has the best insight into plant systems and their functions. This engineer may have a planning role, may test and commission systems, or may maintain and extend them. Providing these engineers with the tools for high-fidelity cyber-physical modeling improves maintainability, too. Just as the intelligence community has learned the value of human analysts over algorithms, the OT community is starting to understand that engineering experience can beat fancy algorithms hands down.